CVE-2021-34076: File Upload vulnerability in PHPOK 5.7.140 · Issue #1 · HolaAsuka/CVE

File Upload vulnerability in PHPOK 5.7.140 allows remote attackers to run arbitrary code and gain escalated privileges via crafted zip file upload.


File Upload vulnerability in PHPOK 5.7.140

PoC

Enter the admin backend and switch to development mode in the upper right corner.

Click Install Application - Import and upload a zip archive containing a PHP file:

# 1.php
<?php phpinfo();?>

Once the upload completes, visit the path _app/ and the uploaded file is there.

This is a serious arbitrary file upload vulnerability.

Analysis

The upload path first calls the zip function, which performs no inspection or filtering of the archive contents at all, resulting in an arbitrary file upload.

/**
 * Build a zip archive
 * @param $dir, supports a single file, a directory, or an array of files
 * @param $saveName, the ZIP filename to save to
 **/
public function zip($dir, $saveName)
{
    if(@!function_exists('gzcompress')){
        return false;
    }
    ob_end_clean();
    $filelist = array();
    if(is_array($dir)){
        $filelist = $dir;
    }else{
        if(!file_exists($dir)){
            return false;
        }
        if(is_file($dir)){
            $filelist = array($dir);
        }else{
            $this->filelist($filelist,$dir);
        }
    }
    if(count($filelist) < 1){
        return false;
    }
    if(class_exists('ZipArchive')){
        $obj = new ZipArchive();
        $obj->open($saveName,ZipArchive::OVERWRITE|ZipArchive::CREATE);//create an empty zip file
        foreach($filelist as $file){
            if(!file_exists($file) || !is_file($file)){
                continue;
            }
            $name = substr($file,strlen($this->dir_root));
            $obj->addFile($file,$name);
        }
        $obj->close();
        return true;
    }
    foreach($filelist as $file){
        if(!file_exists($file) || !is_file($file)){
            continue;
        }
        $fd = fopen($file, "rb");
        $content = @fread($fd, filesize($file));
        fclose($fd);
        $file = substr($file, strlen($this->dir_root));
        if(substr($file, 0, 1) == "\\" || substr($file, 0, 1) == "/"){
            $file = substr($file, 1);
        }
        $this->addFile($content, $file);
    }
    $out = $this->file();
    $fp = fopen($saveName, "wb");
    fwrite($fp, $out, strlen($out));
    fclose($fp);
}

After the zip is uploaded, unzip is called to decompress it, again without any review or filtering of the contents.

public function unzip($file,$to='')
{
    if(class_exists('ZipArchive')){
        $zip = new ZipArchive;
        $zip->open($file);
        $zip->extractTo($to);
        $zip->close();
        return true;
    }
    ...
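As an added example from the defensive side (not PHPOK's code and not part of the original issue), here is an inspect-then-extract replacement for the unzip step that addresses both findings above: every archive entry is checked for absolute paths, ".." traversal, symlink entries, dotfiles and an extension allowlist before extractTo() writes anything, so an archive carrying 1.php is refused instead of landing in _app/. The allowlist, the function names and the paths in the usage line are assumptions for illustration.

```php
<?php
// Added example, not PHPOK's own code: a hardened replacement for the unzip step above.
// Every entry in the archive is checked before extractTo() writes anything to disk.
// The allowlist below and the $archive / $to paths in the usage line are hypothetical.

const ALLOWED_EXTENSIONS = ['css', 'js', 'png', 'jpg', 'jpeg', 'gif', 'svg', 'json', 'txt', 'html', 'xml'];

/**
 * Return the policy violations found in $archive; an empty array means it is safe to extract.
 * Rejected: absolute paths and ".." traversal, symlink entries, dotfiles (.htaccess, .user.ini),
 * names containing ".php"/".phtml" anywhere (covers "shell.php.jpg" under multi-extension handling),
 * and any extension not on the allowlist.
 */
function zipPolicyViolations(string $archive, array $allowed = ALLOWED_EXTENSIONS): array
{
    $zip = new ZipArchive();
    if ($zip->open($archive) !== true) {
        return ["cannot open archive: $archive"];
    }
    $violations = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        $norm = str_replace('\\', '/', $name);           // catch "..\" as well as "../"
        if ($norm === '' || $norm[0] === '/' || preg_match('#^[A-Za-z]:/#', $norm)) {
            $violations[] = "absolute path: $name";
            continue;
        }
        if (in_array('..', explode('/', $norm), true)) {
            $violations[] = "path traversal: $name";
            continue;
        }
        // Unix mode lives in the high 16 bits of the external attributes; 0120000 is S_IFLNK.
        if ($zip->getExternalAttributesIndex($i, $opsys, $attr)
            && $opsys === ZipArchive::OPSYS_UNIX
            && (($attr >> 16) & 0170000) === 0120000) {
            $violations[] = "symlink entry: $name";
            continue;
        }
        if (substr($norm, -1) === '/') {
            continue;                                     // directory entry, nothing is written
        }
        $base = basename($norm);
        $ext  = strtolower(pathinfo($base, PATHINFO_EXTENSION));
        if ($base[0] === '.' || stripos($base, '.php') !== false || stripos($base, '.phtml') !== false
            || $ext === '' || !in_array($ext, $allowed, true)) {
            $violations[] = "disallowed file type: $name";
        }
    }
    $zip->close();
    return $violations;
}

/** Extract only if the whole archive passes the policy; log and refuse otherwise. */
function safeUnzip(string $archive, string $to): bool
{
    $violations = zipPolicyViolations($archive);
    if ($violations !== []) {
        error_log("refusing to extract $archive: " . implode('; ', $violations));
        return false;
    }
    $zip = new ZipArchive();
    if ($zip->open($archive) !== true) {
        return false;
    }
    $ok = $zip->extractTo($to);
    $zip->close();
    return $ok;
}

// Usage (hypothetical paths): an archive holding 1.php is logged and refused; a clean one is extracted.
var_dump(safeUnzip('/tmp/upload/plugin.zip', '/var/www/phpok/_app/'));
```

The check is deliberately all-or-nothing: one bad entry rejects the whole archive rather than skipping that entry, so a partially installed application cannot be left behind, and the refusal is written to the error log, which gives operators something to alert on when an upload of this shape is attempted.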
